PENETRATION TESTING? · 2016. 11. 1.

Date post: 22-Aug-2020
PENETRATION TESTING?

Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking real-world attacks. Think about it as quality assurance for your IT security.

WHY PENETRATION TESTING?

People conduct penetration tests for a number of reasons:

Check security controls
Prevent data breaches
Meet compliance requirements
Get a baseline for your security program
Ensure security of new applications
Assess incident detection and response effectiveness

Every penetration tester has a slightly different method, and assessments depend on the environment and goals. That said, here are the stages of a typical security assessment:

DISCOVER DEVICES

Port Scan (Nmap)
Vulnerability Scan (Rapid7 Nexpose)
Manually Add Device

GAIN ACCESS

Smart Bruteforcing
Automated Exploitation
Manual Exploitation
Social Engineering Campaign
Web App Scanning & Exploitation

TAKE CONTROL

Command Shell Session
Meterpreter Session
Manual Authentication
Impersonate Administrator
Proxy & VPN Pivoting

COLLECT EVIDENCE

Automated Evidence Collection Modules
Live Reporting
Collect Credentials
Collect Loot (PII, PHI, IP, and card-holder data)

KEY CONSIDERATIONS FOR YOUR NEXT PENETRATION TEST

SET THE SCOPE

Ask, “What is the most important digital asset my company needs to protect?” Then instruct the penetration tester to try to access those systems.

CONDUCT THE TEST SAFELY

Ensure that the person carrying out a penetration test on your systems is qualified to do so. Avoid issues with your production environment.

IN-HOUSE VS. OUTSOURCED

Do you have enough work to employ a penetration tester full-time? You may want a truly independent assessment, which means enlisting an external penetration tester with a fresh set of eyes.

SELECT THE RIGHT PERSON

Whether you’re hiring an internal penetration tester or a consultant, make sure they are well trained and highly trustworthy.

FOR A MORE DETAILED GUIDE ON PENETRATION TESTING PRINCIPLES AND BEST PRACTICES, DOWNLOAD THE WHITEPAPER: www.rapid7.com/what-is-penetration-testing